OpenBSD Journal

Recently, Theo de Raadt (deraadt@) described a new type of mitigation he has been working on together with Stefan Kempf (stefan@):

How about we add another new permission! This is not a hardware
permission, but a software permission. It is opportunistically
enforced by the kernel.

The permission is MAP_STACK. If you want to use memory as a stack,
you must mmap it with that flag bit. The kernel does so automatically
for the stack region of a process's stack. Two other types of stack
occur: thread stacks, and alternate signal stacks. Those are handled
in clever ways.

When a system call happens, we check if the stack-pointer register
points to such a page. If it doesn't, the program is killed. We
have tightened the ABI. You may no longer point your stack register
at non-stack memory. You'll be killed. This checking code is MI, so
it works for all platforms.
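The rule described above, as an added C example (it is not from the original page and not from OpenBSD's own tree): a program that supplies its own thread stack, which is the one case where the program rather than libc chooses the mapping, maps that memory with MAP_STACK so that the system calls made while running on it pass the kernel's stack-pointer check. The function and variable names are my own; that a caller-supplied pthread stack must carry the flag is inferred from the rule as stated, not quoted from the page. The example also builds on systems that define MAP_STACK without enforcing anything (Linux), which is what lets it run outside OpenBSD.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose MAP_ANON, MAP_STACK; harmless elsewhere */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS          /* Linux spelling of the flag */
#endif
#ifndef MAP_STACK
#define MAP_STACK 0                     /* systems without the flag: no check, nothing to set */
#endif

#define STACK_SIZE (256 * 1024)

/* Runs on the caller-supplied stack. The getpid(2) call is the moment the
 * kernel compares the stack pointer against MAP_STACK mappings under the
 * tightened ABI; if sp is not in such a mapping the process is killed. */
static void *on_custom_stack(void *arg)
{
    pid_t *out = arg;
    *out = getpid();
    return NULL;
}

/* Map a thread stack with the given extra flags (MAP_STACK for the correct
 * form, 0 for the legacy form that the tightened ABI rejects), run
 * on_custom_stack on it and return 0 on success, -1 if any step fails.
 * The pid seen by the thread is stored in *pid_out so the caller can
 * confirm that the system call really ran on that stack. */
int run_syscall_on_stack(int extra_flags, pid_t *pid_out)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *stk = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANON | extra_flags, -1, 0);
    if (stk == MAP_FAILED)
        return -1;
    /* Lowest page is a guard: an overflow faults instead of running into the neighbour. */
    if (mprotect(stk, page, PROT_NONE) != 0) {
        munmap(stk, STACK_SIZE);
        return -1;
    }

    pthread_attr_t attr;
    pthread_t t;
    pid_t pid = -1;
    int rc = -1;

    if (pthread_attr_init(&attr) != 0) {
        munmap(stk, STACK_SIZE);
        return -1;
    }
    /* Usable stack begins above the guard page; address and size stay page-aligned. */
    if (pthread_attr_setstack(&attr, stk + page, STACK_SIZE - page) == 0 &&
        pthread_create(&t, &attr, on_custom_stack, &pid) == 0) {
        pthread_join(t, NULL);
        rc = 0;
    }
    pthread_attr_destroy(&attr);
    munmap(stk, STACK_SIZE);
    *pid_out = pid;
    return rc;
}

int main(void)
{
    pid_t seen = -1;
    if (run_syscall_on_stack(MAP_STACK, &seen) != 0) {
        perror("run_syscall_on_stack");
        return 1;
    }
    printf("thread on a MAP_STACK stack made a system call; pid %ld (self %ld)\n",
           (long)seen, (long)getpid());
    /* run_syscall_on_stack(0, &seen) is deliberately not called: under the
     * tightened ABI the process would be killed at the getpid(2) call. */
    return 0;
}
```

The legacy form, passing 0 instead of MAP_STACK, is the path the new check is designed to catch: the mapping is otherwise identical, so the only thing that distinguishes a legitimate stack from arbitrary writable memory is the flag recorded on the mapping.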

Once in Dunedin the hacking commenced. The background was a regular
tick of new meltdown diffs to test in addition to whatever work one
was actually engaged in. I was lucky (?) in that none of the problems
with the various versions cropped up on my laptop.

Meltdown mitigation is coming to OpenBSD. Philip Guenther (guenther@) has just committed a diff that implements a new mitigation technique in OpenBSD: separate page tables for kernel and userland, so that kernel memory is no longer mapped into the address space userland runs in. This addresses the Meltdown problem that affects most Intel CPUs. Both Philip and Mike Larkin (mlarkin@) spent a lot of time implementing this solution and talking to people from other projects about the best approaches.

As you may have heard, the a2k18 hackathon is in progress. As can be seen from the commit messages, several items of goodness are being worked on.

One eagerly anticipated item is the arrival of TCP syncookies (read: another important tool in your anti-DDoS toolset) in PF. Henning Brauer (henning@) added the code in a series of commits on February 6th, 2018, with this one containing the explanation:

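As an added example (it is not the commit message referred to above, and not part of the original page): the pf.conf(5) form of the new knob, assuming the syntax as documented in pf.conf(5) after this series of commits. The threshold values are illustrative, not a recommendation from the page.

```conf
# /etc/pf.conf excerpt (illustrative)

# Disable syncookies entirely.
# set syncookies never

# Answer every SYN with a cookie: no state entry is created until the
# client returns the cookie in its ACK, so a SYN flood cannot fill the
# state table.
# set syncookies always

# Adaptive: switch cookie mode on when the state table reaches 25% of its
# limit and off again once it has drained to 12%. Values are example values.
set syncookies adaptive (start 25%, end 12%)
```

Adaptive mode is the usual choice: under normal load the firewall keeps the full state-tracking behaviour, and only a flood that pushes the state table towards its limit flips it into the stateless cookie mode.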
It was not my first EuroBSDcon but the first time I delivered a talk!
I feared that only a few people would show up to my talk since
Michael W. Lucas had his talk at the same time and also covered an
OpenBSD topic. But the room was full and my talk was well received.

After the talk I received a nice gift from the EuroBSDcon organizers:
a cartoonist made drawings from the presenters during the talks!

Details of the 2018 campaign have been added to the Foundation's website. The goal for the year is $300,000. The total for "smaller" donations has already taken the OpenBSD community to bronze level sponsorship!

2018-02-08 SECURITY: A flaw was found in the way unbound validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick unbound into accepting a NODATA proof.